
Audit history

allaymc-plugin-dev - 6 audits

Audit version 6

Latest: Low Risk

Jun 28, 2026, 09:19 AM

Static analysis reported many high-risk patterns, but manual review found they come from LGPL license prose, Markdown code formatting, and legitimate git or Gradle workflow examples. No prompt injection, credential access, data exfiltration, obfuscated code, or malicious network behavior was found in LICENSE, README.md, or SKILL.md. The skill is low risk because it can guide users or agents to run standard development commands and read local reference paths.

Files analyzed: 3
Lines analyzed: 647
Review items: 2
False positives ignored: 4

Static false positives ignored (4)

These static matches were dismissed by semantic review or matched schema-only tokens, so they are shown for transparency but do not drive the quality score.

Low
Static License Text Matches Are False Positives
Verdict: FALSE_POSITIVE. The reported weak cryptography and reconnaissance hits in LICENSE are standard LGPL prose. The cited lines contain license language about software freedom, libraries, source copies, offers, and operating systems, not executable code or cryptographic APIs.
The cited locations are inside the GNU LGPL text and contain no runnable code. The wording explains legal permissions and distribution terms, so the static signatures do not indicate a threat.
Low
Markdown Backticks Flagged as Shell Execution
Verdict: FALSE_POSITIVE with a low operational caution. README.md and SKILL.md use Markdown backticks and fenced bash examples for installation, updates, and AllayGradle build tasks. These are transparent developer commands, not hidden Ruby backtick execution or command injection.
The backtick characters are Markdown formatting around file names, identifiers, and visible commands. The only shell commands are normal git and Gradle operations that a plugin development skill would reasonably document.
Low
Path References Are Documentation, Not Traversal
Verdict: FALSE_POSITIVE with a low operational caution. README.md references installation directories, including a Codex skills path, and SKILL.md references template and API paths under references. The ellipsis in a Java source path is explanatory shorthand, not a traversal directive outside the project.
The path strings are visible documentation for where the skill and bundled references live. I found no instruction to read hidden secrets, enumerate sensitive directories, or use user input in filesystem access.
Low
Skill Metadata Keyword Matches Are False Positives
Verdict: FALSE_POSITIVE. Static hits in SKILL.md around the description, Gradle metadata, lifecycle heading, and API mismatch troubleshooting are ordinary AllayMC plugin guidance. They do not show weak cryptography, network reconnaissance, or system reconnaissance intent.
The lines describe plugin development metadata and troubleshooting. There are no network probing commands, cryptographic calls, or system enumeration instructions at these locations.

Risk factors

Audited by: codex

Audit version 5

Safe

Jan 16, 2026, 03:04 PM

This is a prompt-only documentation skill containing guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. Static findings are false positives triggered by markdown documentation patterns (backticks in code blocks) and LGPL-2.1 license legal text. The skill reads reference materials via user-initialized git submodules.

Files analyzed: 4
Lines analyzed: 858
Review items: 2
False positives ignored: 0

Audited by: claude

Audit version 4

Safe

Jan 16, 2026, 03:04 PM

This is a prompt-only documentation skill containing guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. Static findings are false positives triggered by markdown documentation patterns (backticks in code blocks) and LGPL-2.1 license legal text. The skill reads reference materials via user-initialized git submodules.

Files analyzed: 4
Lines analyzed: 858
Review items: 2
False positives ignored: 0

Audited by: claude

Audit version 3

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files analyzed: 4
Lines analyzed: 653
Review items: 0
False positives ignored: 0

No security issues found

Audited by: claude

Audit version 2

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files analyzed: 4
Lines analyzed: 653
Review items: 0
False positives ignored: 0

No security issues found

Audited by: claude

Audit version 1

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files analyzed: 4
Lines analyzed: 653
Review items: 0
False positives ignored: 0

No security issues found

Audited by: claude